Security at Netlify


Netlify believes that the JAMStack approach to building websites and apps offers clear security benefits by default, and we at Netlify take security extremely seriously as a matter of principle. Our operations and business are SOC-2 certified, our staff are trained on current security best practices, and we pay close attention to the handling of your data and access to our systems. It should speak for itself that we have the explicit intention to serve all sites using SSL in the future, and have a strong affiliation with Let’s Encrypt.

You can find out some more details about our security practices on our security page. You’ll see there that all our internal traffic is encrypted, that sensitive information such as passwords and access keys is encrypted at rest, and that we have disaster recovery plans that have been thoroughly tested. We contract external agencies for regularly scheduled penetration testing, and at the DNS layer we run two completely redundant DNS networks so we have something in place to fail over to if needed.

Nonetheless, if you feel you have found a security problem on our platform, we want to hear about it immediately! We have a commitment to working to resolve legitimate issues as quickly as possible to protect Please report it to security@netlify.com (this also activates our Bug Bounty program!) We very much appreciate your responsible reporting of potentially sensitive issues.

If you are thinking of running penetration tests on our platform, we want you to know that according to our Terms of Use, such tests require explicit written permission before launching.

You’ll need to get in touch with Netlify support in advance of any planned tests to obtain this permission. Please also note that we require at least a week’s notice before you’d launch a test, and once permission is granted, we’ll be happy to work with you to verify your test is working correctly and help you interpret the results.
